From the monthly archives:

September 2008

Malware challenge has started!

by Tom on September 30, 2008

in SBN

Just a reminder to head over to malwarechallenge.info to start the malware challenge that was mentioned on the last Security Justice podcast as well as a blog post that I did a few days ago. The contest runs from October 1st – 26th and is open to everyone! May the force be with you…

{ Comments on this entry are closed }

Simple Universal Authentication

by SOX Jockey on September 30, 2008

in SBN

From one of my favorite blogs, GNU Citizen, comes this simple and elegant proposal for authentication. It is only suitable for lower value transactions, but it could form the basis for stronger authentication, and it sure beats complicated registration processes. I have come to regret some of the heavier processes I've put on some sites I maintain, and this might do the trick.


VNCcrack – cracker for the VNC challenge protocol

by prithpal on September 30, 2008

in SBN

VNCcrack is a fast offline password cracker for the VNC challenge/response protocol. If one can somehow observe a VNC authentication, then VNCcrack can run a dictionary attack against the exchange and attempt to find the password.

It works by scanning a pcap file (as generated by the common tcpdump tool) for VNC challenge/response exchanges, then checks each one against a wordlist. Reading the wordlist from stdin is also supported, which allows it to be fed by John the Ripper; see the documentation in the tarball for further information. It is quite fast and can check well over a million passwords a second on a 2.4 GHz Core2 processor.

VNCcrack can be found here.
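
To make the exchange that VNCcrack scans for concrete, here is an added Python example that is not part of VNCcrack or of this post. It walks the RFB 3.8 handshake of a single connection, with each side's bytes already reassembled per direction as a pcap-based tool would do, and reports whether a cleartext VNC challenge/response authentication took place, which is exactly the condition a network monitor should alert on. The version string, security-type numbering and message layout are those of the RFB 3.8 specification; the handshake bytes, challenge and response values below are constructed sample data, not a real capture.

```python
import struct

RFB_38 = b"RFB 003.008\n"   # 12-byte ProtocolVersion message, same in both directions
SEC_NONE = 1                # security type 1: no authentication at all
SEC_VNC_AUTH = 2            # security type 2: 16-byte DES challenge/response


def build_streams(sec_type, challenge=None, response=None, result=0):
    """Construct the per-direction byte streams of an RFB 3.8 handshake.

    This is constructed sample data standing in for a reassembled TCP stream.
    """
    server = RFB_38 + bytes([1, sec_type])   # server offers exactly one security type
    client = RFB_38 + bytes([sec_type])      # client selects it
    if sec_type == SEC_VNC_AUTH:
        server += challenge                  # 16-byte challenge from the server
        client += response                   # 16-byte response from the client
    server += struct.pack(">I", result)      # SecurityResult: 0 = OK, 1 = failed
    return server, client


def parse_handshake(server, client):
    """Parse an RFB 3.8 handshake; return the security type, any challenge/response pair and the result."""
    if len(server) < 13 or len(client) < 13 or server[:12] != RFB_38 or client[:12] != RFB_38:
        raise ValueError("not an RFB 3.8 handshake (3.3/3.7 use a different layout)")
    n = server[12]                           # number of security types offered
    if n == 0:
        raise ValueError("server refused the connection")
    offered = server[13:13 + n]
    if len(offered) != n:
        raise ValueError("truncated security-type list")
    s = 13 + n                               # server-side read offset
    chosen = client[12]
    if chosen not in offered:
        raise ValueError("client chose a security type the server did not offer")
    c = 13                                   # client-side read offset
    finding = {"security_type": chosen, "challenge": None, "response": None}
    if chosen == SEC_VNC_AUTH:
        challenge, response = server[s:s + 16], client[c:c + 16]
        if len(challenge) != 16 or len(response) != 16:
            raise ValueError("truncated challenge/response")
        s += 16
        c += 16
        finding["challenge"], finding["response"] = challenge, response
    if len(server) < s + 4:
        raise ValueError("missing SecurityResult")
    (finding["result"],) = struct.unpack(">I", server[s:s + 4])
    return finding


def assess(finding):
    """Defender's verdict on a parsed handshake."""
    if finding["security_type"] == SEC_VNC_AUTH:
        outcome = "accepted" if finding["result"] == 0 else "rejected"
        return ("ALERT: cleartext VNC challenge/response (" + outcome + "); both values are "
                "recoverable from the capture, so the password can be guessed offline. "
                "Tunnel VNC over SSH or TLS, or use a stronger security type.")
    if finding["security_type"] == SEC_NONE:
        return "ALERT: VNC session negotiated with no authentication at all."
    return "INFO: security type %d not modelled here." % finding["security_type"]


if __name__ == "__main__":
    chal, resp = bytes(range(16)), bytes(range(16, 32))   # constructed, not real values
    srv, cli = build_streams(SEC_VNC_AUTH, chal, resp)
    found = parse_handshake(srv, cli)
    print("challenge:", found["challenge"].hex(), "response:", found["response"].hex())
    print(assess(found))
```

Note that a rejected login still leaks a usable challenge/response pair, which is why the verdict does not depend on the SecurityResult. Against real traffic the streams would come from TCP reassembly of the captured connection, and RFB 3.3 (a single 32-bit security type sent by the server) would need its own branch.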


CSAW08 CTF

by dan on September 27, 2008

in SBN

Our lab holds a Capture the Flag (CTF) hacking contest as part of CSAW each year and the tagline for it is:

“A digital cyber attack and defense competition in detecting application security vulnerabilities.”

…but shhhhh! Don’t tell marketing, there is absolutely no defense involved! :-) . I believe that attack has merits on its own, but that is a discussion for another time.

CSAW CTF started out in 2004 as a network-based game with dozens of virtual machines running known vulnerable software. The challenge was to discover and detect these issues and then find or tweak public exploits to work on them. This could have been a good way to run CTF, but we simply couldn’t afford the time to make it work properly. I ended up taking second place to Michael Aiello, now a close friend of mine, that year. Afterwards, Mike and I sacrificed our chances of winning the next year by helping develop the 2005 contest and, along with other members of the lab, changed the game’s format to how it remains to this day.

In CSAW CTF, participants are given a series of challenges divided into different categories, and each challenge is worth a specified number of points. In reality, a “challenge” is a small bit of code with a single security vulnerability implanted in it. “Solving” the challenge means exploiting this vulnerability. The challenge spits out a secret password upon completion which the participant can redeem for points on the scoreboard. We relate this to events like the Defcon Pre-quals, without the requirement that participants solve easier challenges first to reach the harder ones. We try to keep a similarly wide breadth of categories; this year we had Web Applications, Binary Exploitation, Reverse Engineering, Trivia, and Bug Hunting. If you’re interested in what the challenges were, keep an eye on what will likely be called the OWASP CTF Project, to which this year’s CSAW CTF has been donated. I expect all that to be ready within a week or two and I will definitely make a separate blog post about it.

This year’s CSAW CTF was our largest ever. We had 46 teams, over 150 individual players, and 50 different schools compete in it (all students too!), making us one of the largest CTF competitions world-wide. It’s gotten to the point where I can name a few, and only a few, other competitions that are larger than we are.

CSAW08 CTF started at 8pm EST on Friday, September 19th and it quickly became clear which teams would end up in the top 10. MyLittlePwnies, a team of 8 from NPS, methodically solved a majority of the challenges that very first night and got off to an early lead. To my surprise, a small handful of other teams trailed close behind and before the night was over RPISEC passed them by! This was not good news for me because between trying to work out the kinks people were finding and answering questions (it was basically a one-man show this year), I didn’t have much time to put up new challenges. Let that be a lesson for everyone else planning CTFs out there: always work with a partner, no matter how smooth you think the scoring system is!

As a low-cost way of getting a binary exploitation challenge up, I gave everyone Lurene Grenier’s Advanced Windows Buffer Overflow (AWBO) #2 to chew on. For a challenge that comes with the warning:

“This next test could take a very, very long time. If you become lightheaded from thirst, feel free to pass out. An intubation associate will be dispatched to revive you with peptic salve and adrenaline.”

… I expected this to buy me some time but 5 teams solved AWBO#2 and some did it within 2 hours. One team even solved it on Vista just because they had no other Windows installations available. Those teams were: TeamTefaye, RPISEC, MyLittlePwnies, teamSparta, and FluxFingers. Congratulations guys, that was really impressive!

The final trivia question for that night was: What does this code do?

31C04089460C89C34089460804048946108D4E08B066CD8089C231C0C646080266C7460A358289460C8956118D4E08894E154389D980C10E894E198D4E11B066CD80B0664343CD8031C043894615894619B066CD8089C331C089460C89C1B03FCD8041B03FCD8041B03FCD80EB1A5E31C08846098D1E895E0B89460FB00B89F38D4E0B8D560FCD80E8E1FFFFFF2F62696E2F62617368

Right after I posted it, I made sure to remind MyLittlePwnies since they were asking me for something exploitation or reversing related. Here is my conversation with one of their team members (hint: check the timestamps).

(1:52:15 AM) dan: btw, you saw the trivia right?
(1:53:54 AM) blacksheep: yup, just saw that.
(1:54:34 AM) blacksheep: trivia answer is
(1:55:02 AM) blacksheep: bind port backdoor shell on port 13698 on a linux system with /bin/bash as the shell

I gave them extra points for such a fast answer :-) . The second day ended with RPISEC in first, by a small margin, over Team Tefaye and Pwntatoes in a distant third.

The last day of the competition was a short one; the game was over at 3pm EST on Sunday, September 21st. The only challenges any teams really had time to do were some of the more open-ended ones like the “Client-side Challenge” which I’ll now explain. In the Client-side Challenge, you are taking a class with “Joe the TA” and you really want to break into either his e-mail or his local computer for advance information about tests and homework. He handed out his e-mail to you at the beginning of the semester and you know that he logs in to a webmail installation conveniently hosted on the CTF server. “Joe” also tends to click on any link that looks convincing. Teams were given 500 points for access to his mail spool, 1000 points for access to his filesystem, and 400 points if they could persist that access across the “semester” (a rootkit, an email forward, a persistent XSS, etc). Let me tell you, NEVER click on a link from Team Tefaye! Their first try set up an e-mail forward, a persistent XSS, and stole my session cookies while forwarding me to the intended link target described in their e-mail, all in a single action. They returned later and trojaned the box for an extra 1000 points. Damn! This finally put Team Tefaye in a solid lead over RPISEC which they were able to maintain until the end of the contest.

Here’s the final scoreboard:

Team Tefaye took first, RPISEC took second, and Pwntatoes took third. The Down Ownerz got the bonus prize for being the youngest team playing. Congratulations guys!

There was a lot of great stuff that went on last weekend and I’m sorry I couldn’t get to all of it in this blog post. If any of the people who played have more to say, post it in a comment.

rgov from RPISEC: “(Bonus: I was able to use cross-site scripting to RickRoll most of the players and some of the organizers.)” Yep, NoScript doesn’t work so well when you whitelist the domain :-x

Rob Escriva from RPISEC: “This weekend I’ll be doing a writeup on a bug I found in the “leaky” challenge of the 2008 CSAW contest.”

I almost forgot, I have a few people to thank for helping out in various ways with CTF: Alicia Bozyk, Aleksey, Dean De Beer, Stephen Ridley, Michael Aiello, and Eric Hulse. Thanks guys!


Tom joins the Blogsecurify team!

by Tom on September 26, 2008

in SBN

I am excited to announce that I am now part of the GNUCITIZEN Blogsecurify social media “tiger team”. I am officially a blogger for Blogsecurify and will be posting about security issues/vulnerabilities in social media applications. As you may already know, I have been doing a lot of research recently into Facebook privacy and security. Blogsecurify/GNUCITIZEN is the perfect outlet for the research I am doing as well as other projects I am about to work on. GNUCITIZEN has always been about cutting-edge, progressive security research and I am looking forward to working with others that have a passion for social media security.

Do you have a Wordpress blog? If you do then you really need to check out the Blogsecurify tool. The Blogsecurify tool was basically formed from the wp-scanner project and was a joint effort between GNUCITIZEN and BlogSecurity.net. The tool is an online Wordpress vulnerability scanner. It will scan your Wordpress blog via a plugin that you activate on your end. It will then run a series of checks and let you know the results. I am under the assumption that this scanner will evolve with the ability to scan other types of blogging software and social media applications. If you are interested in helping out with research and/or blogging on Blogsecurify check out this post.

Stay tuned for my Facebook Privacy & Security Guide release and details on other social media security related projects I plan on working on through this site and now blogsecurify.


Malware Challenge begins October 1st!

by Tom on September 25, 2008

in SBN

Malware!

Tyler (aka: The Security Shoggoth) announced on the Security Justice podcast last week the “Malware Challenge” that begins October 1st. I think this is a great idea and a fantastic way to learn about how malware works and how to analyze it.

Via The Security Shoggoth:

“Starting from October 1, 2008 and ending October 26, 2008 we will be running a malware analysis challenge at http://www.malwarechallenge.info. In the challenge participants will download a malware sample to analyze. The site will have a list of questions for participants to answer and send in. We will judge the answers and those scoring the highest will win prizes.”

Yes, this is a real piece of malware that you will analyze! More about the malware and the contest:

“Participants in the malware challenge will download the malware, analyze it and answer questions based on their findings. The answers to these questions will be evaluated by the judges in order to determine who the winners are. At a minimum, submissions should include the answers to the questions. However, submissions which also include a narrative on such things as how the malware was analyzed or how the analysis lab was set up will be more likely to win. Be creative.”

What are the prizes? So far they have a Best Buy gift card, IDA Pro Book, Full version of IDA Pro software, Hacker game from Steve Jackson Games and many more prizes as well. For the most up-to-date-list, check here.

Even if you have never analyzed malware before, everyone is encouraged to participate! This is a great way to learn about how malware works and also a way to develop a new and emerging skill set. The contest site has some links to get you started if you have never done malware analysis, so you have some place to begin. Winners will be announced at the 2008 Ohio Information Security Summit on October 31st. You don’t need to be present to win, but there will be special prizes for those that can be there. Good luck to everyone participating!


Insecurities in Privacy Protection Software

by Random InfoSec Guy on September 24, 2008

in SBN

I recently wrote an article for INSECURE Magazine (awesome mag BTW!) on the lack of protection given to one's sensitive information, ironically, by the very software that claims to protect it in the first place! These security companies seem to be riding on a new wave of PII protection - and the vendors are scurrying to come up with their own versions of a solution, forgetting all about secure software development practices. The importance of writing secure software cannot be stressed enough. Security vendors should know that.

The article is at http://www.net-security.org/dl/insecure/INSECURE-Mag-18.pdf or you can read it online at http://issuu.com/insecure/docs/insecure-18/44?mode=a_p

Also - Jeremiah Grossman's nice article on the bitter reality of Web Browser security.

While on the topic of vendors - what vendor in his right mind would send something like this to a security contact in a company? Mind you - this vendor has NO NDAs with us - and I have had no prior contact with this guy.



I have no idea if a project like that even exists in the company, but it sounded like an important security project that should definitely be company confidential information. On quizzing the person, he replied that he got that information from his 'inside sales folks'.. riigggght. I asked for names. I haven't heard from him since.


Today’s NAC Panel at Interop NY

by SteveHanna on September 23, 2008

in SBN

Today’s panel on NAC was a blast! Mike Fratto mainly took questions from the audience. When there were slow spots, he asked some tough questions of his own. I prefer this approach to panels. Customers have the most interesting, real-world questions!


I was surprised how many of today’s questions focused on standards. The attendees were impatient with the delays in getting NAC standards implemented. I share their impatience. The TNC standards have been around for more than four years. They’ve been implemented by Juniper, Microsoft, and dozens of other vendors. Why don’t other vendors just implement them?


Steve Karkula of Nokia was a welcome addition to the usual cast of characters on a NAC panel: Cisco, Microsoft, and TCG. Steve is involved with Nokia’s SourceFire product. He pointed out the value of including behavior monitoring in a NAC system. I couldn’t agree more! These days, NAC is much more than checking the health of devices when they connect to your network. State-of-the-art NAC systems customize access for each user or role and monitor behavior so they can block misbehaving endpoints. Really cool systems link identity and behavior monitoring so that they know what behavior’s appropriate for each user!


An interesting followup question was how to monitor behavior when more network traffic is encrypted. The panelists had a variety of answers: doing monitoring on the servers, on the endpoints (only if you trust them!), or at the edge of the data center (if you terminate the encryption there, as is often done with load balancers, SSL offload devices, and such).


All in all, it was an interesting panel. I’m sorry if you couldn’t be there. I hope to see you at one of my upcoming talks!


IronKey Review

by Craver on September 23, 2008

in SBN

Thanks to Bret for being a good sport and writing up this fantastic review of the IronKey he won from us a few months back. Thanks Bret!!!

“I have been using software based encryption on USB drives for several years now (Truecrypt). So imagine my happiness when the IronKey burst onto the scene. Now there is no longer any need for 3rd party encryption software to secure whatever I need to carry with me on 1, 2, 4, and now 8GB limits.

Having received a 1GB unit a few months ago, I decided to test and review the unit. Taking the IronKey out of the box, I was amazed at the apparent sturdiness of the drive. Rock solid is the phrase that comes to mind.

The drive shipped with FireFox (FF) 2.0.0.12 installed on it. Thankfully, it can be upgraded using the built-in updater to the latest FF2 version (2.0.0.16). FF3 was listed as incompatible on Ironkey.com (or was as of June 1st). On top of FF, there is the IronKey toolbar, that's responsible for the input, store, and output of credentials. Though said toolbar seems only 100% compatible with IE7.

Along with the toolbar, but specific to the FF installed on the unit, is TOR. The FF/TOR feature sends your web data through a supposedly secure TOR network. This network is maintained by IronKey and is, at least in my opinion, better than having your data outputted to a hostile TOR endpoint.

Besides FF, you are given a nice set of applications. One of which is a built-in password generator. You are also given a manager for stored credentials. This manager ties into the toolbars for website credentials and unfortunately, has no apparent functionality for non-website based passwords/usernames.

After setup, you are allowed 10 wrong password entries when attempting to access the unit. At 9 you are warned that 1 more incorrect entry will result in hard erase of all info stored on the unit. Supposedly there is little possibility of personal injury when this erase occurs. A ‘nuked’ IronKey flashes a different color on the LED to let you know it's ‘nuked’.”

It sounds good to me!!! Let us know what you’re using and if you’d go out and buy an IronKey!


Blackhat/DEFCON Visualization Retrospective

by jan.monsch on September 22, 2008

in SBN

[Photo: Las Vegas - Encore, Wynn & Palazzo Towers]

From a data mining and visualization perspective the conferences in Las Vegas offered a couple of highlights for me. First of all Raffy’s book Applied Security Visualization was finally launched and I had the first chance to see and hold the book with the DAVIX CD in my own hands at the bookseller booth. After hours of reviewing the book and building the live CD during the last eight months, it was a great relief that it was finally done.

I very much anticipated Greg Conti’s and Erik Dean’s talk on binary visualization (PPT Slides). Their newest tool, DanglyBytes, allows for interactive analysis of binary data in multiple views. The different views decode the data in multiple ways: there is a view that just prints the bit stream in a window while another decodes each series of bytes as an RGB value. Their demo of a Windows error dump was a revelation: using a slider on one of the views they could adjust the column width of the view, and while moving the slider Google and Wikipedia images began to appear out of the noise. I am looking forward to playing around with it myself.

Another interesting discovery at the Blackhat vendor area was the company Lookingglass with their software as a service (SaaS) called ScoutVision. They have built an infrastructure that stores Internet meta information in a database and provides its customers a client software to access and visualize this information remotely. For well paying customers they offer a service where clients can tie in their own IT data.

[Photo: Main Entrance Caesars Palace]

While preparing for the DAVIX Visualization Workshop in the CTF lounge, I saw a dude visualizing network traffic in Processing. I approached him and we started chatting about visualization. Interestingly he knew about neither secviz.org nor DAVIX. Over the course of DEFCON I found out that many people are toying around with visualization as well, but there is no interaction between these people. This is definitely a thing that we should be working on over the upcoming months. I hope that DAVIX will help to connect people interested in security visualization.

On Sunday our DAVIX Visualization Workshop was on (Slides). During our introductory talk on DAVIX there were about 120 attendees. We were very surprised to see such interest, although many DEFCON participants had already gone home and it was during the last three hours of DEFCON. So there is definitely potential for future activities.
